EsteemAudit – Potential for Another WannaCry-like Attacks

There may be a possible ‘second wave’ of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by NSA were exposed in the Shadow Brokers release. The WannaCry emergency cannot be ended because the NSA Tools leaked by the Shadow Brokers team included many other dangerous exploits.

Although Microsoft released patches for SMB flaws for supported versions in March and unsupported versions immediately after the outbreak of the WannaCry ransomware, the company ignored to provide a patch for other three NSA hacking tools, dubbed “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.

The availability of such exploits and hacking tools represents a serious problem. An attacker with technical knowledge can exploit them to compromise millions of Windows systems across the world.

“Of the three remaining exploits “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk” continues Microsoft.

Let’s start with the EsteemAudit exploit. It is a hacking tool that targets RDP service (port 3389) on machines running Microsoft Windows Server 2003 / Windows XP which is no longer supported.

“It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit” quoted in Ensilo blog. Most of the ATMs in India still have unsupported Microsoft Windows XP as their base operating systems.

“Even one infected machine opens your enterprise to greater exploitation,” explained the security researchers Omri Misgav and Tal Liberman who works for the Ensilo cyber security firm. They developed an unofficial patch for EsteemAudit exploit.

“In the trove of stolen exploits published by the Shadow Group appears ESTEEMAUDIT, an RDP exploit which can allow malware to move laterally within the organization, similar to what we had seen with WannaCry” reads a blog post from Ensilo.

Experts warn of possible exploitation of EsteemAudit exploit in network wormable threats. Threat actors in the wild can develop malware that is able to propagate itself in target’s networks without user’s interaction.

Years later, there continue to be hundreds of millions of machines relying on XP and Server 2003 operating systems in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today. The cyber security industry estimates that more than 600,000 web-facing computers which host upwards of 175 million websites still run Windows Server 2003 accounting for roughly 18 percent of global market share.

There are many malware in the wild that already infects systems. Using malware as attack vector the RDP protocol (Crysis, Dharma, and SamSam), the EsteemAudit exploit can potentially make these threats very aggressive and dangerous.

Users and enterprises running the vulnerable systems are advised to upgrade them to the higher versions to secure themselves from EsteenAudit attacks.

When it is impossible to upgrade the systems it is necessary to secure them, for example disabling RDP port or putting it behind the firewall.

There are unofficial patches available provided by few security companies like EnSilo.